Home Brew iPhone Malware Kit Makes Spying On Apple Devices Easy


Apple makes some of the most secure smartphones on the planet, as the FBI has found all too apparent in recent weeks. But when one has access to an iPhone, it's possible to quickly install malware that appears to be legitimate, as shown by a new software called Su-A-Cyder, which automates the process of creating quick and dirty spyware.

As shown in the video below, the tool can help spin up an "evil" Skype application. To run the malware, the user needs to connect a PC to an iPhone running any iOS version, right up to the latest Apple OS 9.3.1. Once Su-A-Cyder is running, it installs an app that it has injected with malicious features, using just a few command line entries. In the proof of concept, while the software does what the Microsoft-owned app usually does, data is quietly being siphoned off in the background, from GPS locations to contacts.

Two provisos: any wannabe iOS hacker requires access to an unlocked iPhone for a few minutes and a decrypted version of whatever app they want to impersonate. The latter could be acquired from a pirate store, or simple Google searches will reveal different versions to play with.

As well as adding malicious capability to the software, Su-A-Cyder also connects to Apple servers, creates new application signing certificates for the app and re-signs it so it appears "kosher", said Su-A-Cyder's creator Chilik Tamir. "Afterwards it installs the new developer provision on the device, and installs the evil application to the device," he explained.

There's little Apple has done wrong here; there's no real vulnerability. But Tamir has taken advantage of the ability for anyone with an Apple ID to upload apps to iPhones. He believes it's too easy to get an ID and install software. If anyone is ever caught spreading malware and Apple revokes their account, they can simply get a new email address, acquire a fresh ID and start creating iPhone spyware again, he noted.

"Anyone with access to a device can turn it into an attacking utility," said Tamir, chief architect for research and development at Mi3 Security. A malicious employee, he suggested, could grab a co-worker's iPhone and upload malware that looks like corporate software. "The same goes for healthcare apps... [the security] can be circumvented by anyone with an email," Tamir added.


The apps will remain in a sandbox, where they're separated from other parts of iOS. But there's a way to get access to features of the phone by abusing private application programming interfaces - the app code that allows outside access to certain features. A malicious Skype app, for instance, could ask to access the user's camera or geolocation, which the target would most likely agree to, as the request appears to come from a legitimate source.

This kind of attack could be particularly useful for those wanting to spy on family members. Many commercial malware types - mSpy and FlexiSpy being two notable examples - have similar requirements: access to the device and the time to upload the software. Those malware types are marketed as child monitoring applications, though concerns have been raised about their use against abused spouses. Su-A-Cyder shows that those with little technical skill needn't pay to spy on the devices of those close to them.

For those who have a strong passcode, Su-A-Cyder, or similar tools, might not be much of a threat. But even where iPhones are locked, there are ways to obtain data hidden within. Just this week researchers detailed ways around passcodes. Spaniard Jose Rodriguez, who has repeatedly uncovered iOS exploits in the past, found a way to acquire contacts and photos from iPhone 6S and 6S+ devices. Apple has now fixed the flaw.

Even though it brings plenty of security benefits, the iPhone can be hacked. It makes one wonder about how safe data is on competitor devices...

I cover security and privacy for Forbes. I’ve been breaking news and writing features on these topics for major publications since 2010. As a freelancer, I worked for The Guardian, Vice Motherboard, Wired and BBC.com, amongst many others. I was named BT Security Journalist o...